Slashdot Mirror


If a Financial Institution Mishandles My Data, What Recourse Do I Have?

grahamsaa writes: My sister recently consolidated her student loans, and the bank e-mailed the paperwork, which included her name, address, date of birth, social security number, drivers license number and bank account information to the wrong e-mail address. The address (a gmail address) is associated with a real person (not her), so someone now has all of her personal details. My sister claims that she read her e-mail address to the bank representative over the phone twice, but that it was transcribed incorrectly.

The real issue is that the bank was willing to use unencrypted e-mail at all to send sensitive information, and I told my sister that at a minimum the bank should cover electronic credit monitoring for her for a minimum of a year, but I feel like that alone probably isn't enough. While my sister should have insisted that they use a more secure means of sending this information, I think it should be the bank's responsibility to ensure that this kind of thing doesn't happen. What kind of recourse does a person in my sister's position have? Did the bank violate any laws (she lives in Connecticut in the United States)? Is there a standard penalty for this kind of thing? I'm not a lawyer, but I know some of you are. What are her options in this case?

32 of 224 comments

  1. Not a lawyer. by Anonymous Coward · · Score: 5, Informative

    You know a lawyer could lose their license if they gave advice to you in this situation (they'd be representing you).

    Your options are: find a lawyer.

    1. Re: Not a lawyer. by Anonymous Coward · · Score: 4, Funny

      CFPB has regulations against sending such info in plain emails. Bank can get seriously fined.

    2. Re: Not a lawyer. by Sique · · Score: 5, Insightful

      HOW DOES SENDING EMAIL OVER ENCRYPTED CHANNELS "PREVENT" EMAIL ADDRESS TYPOS?

      It does insofar as the public keys of the intended receiver and the actual receiver don't match, and thus the actual receiver gets nothing but encrypted gibberish, thus no data is leaked.

      --
      .sig: Sique *sigh*
    3. Re: Not a lawyer. by itzly · · Score: 2

      Public keys ? There is no established infrastructure for public key encryption of e-mail.

    4. Re: Not a lawyer. by JonathanR · · Score: 2

      OpenPGP. Signed and encrypted; eliminates unintended recipients from reading the contents; guarantees the sender.

    5. Re: Not a lawyer. by MightyYar · · Score: 2

      OpenPGP would happily decrypt for the correct (but incorrectly typed-in) address. It would not prevent a typo.

      My bank sends statements via email, but they are a password protected PDF that itself downloads a PDF. I have no idea why this is superior to sending a web link, but this is what they do.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    6. Re: Not a lawyer. by wvmarle · · Score: 2

      Encrypted e-mail is to this day not straightforward, if possible at all. I just checked my e-mail client, Claws Mail. It doesn't have an option to encrypt e-mail. Maybe in an extension; it's not in the client itself. Using encryption securely is hard, really hard. So many ways it can go wrong, so easy to make a mistake and compromise your key making the whole thing moot.

      Furthermore, I don't know of any current standard for e-mail encryption that is widely supported. No idea on how to create a key - let alone how to securely and easily exchange keys with random recipients (like a client who calls me asking me to send them some information by e-mail).

      Now imagine e-mail encryption is commonplace. The obvious way to send an encrypted mail to someone would be to pull their public key from some kind of repository (which as yet doesn't exist but let's just imagine it does and that every e-mail address that's in use has a key pair) - the one that belongs to their e-mail address - the e-mail address you're going to send the information to - and which may be someone else's entirely as I wrote it down incorrectly. So while anyone in transit can not read it, the recipient of the e-mail will have the private key (after all, it's the public key that belongs to that e-mail address). So this doesn't solve the problem at hand!

      I won't say e-mail encryption is useless, it does help against snooping along the way, but it is also definitely not the be-all and end-all.

    7. Re: Not a lawyer. by CronoCloud · · Score: 5, Informative

      I just checked my e-mail client, Claws Mail. It doesn't have an option to encrypt e-mail. Maybe in an extension; it's not in the client itself.

      Claws Mail supports both GnuPG and S/MIME encryption by default. The reason you don't have an option is that you haven't configured/set up claws-mail to do so.

      Furthermore, I don't know of any current standard for e-mail encryption that is widely supported.

      Any good e-mail client supports BOTH GnuPG and S/MIME.

      No idea on how to create a key

      Applications>Accessories>Passwords & Keys. File>New>PGP Key

      let alone how to securely and easily exchange keys with random recipients (like a client who calls me asking me to send them some information by e-mail).

      You can use out-of-band methods, or just use keyservers.

      The obvious way to send an encrypted mail to someone would be to pull their public key from some kind of repository (which as yet doesn't exist

      They do exist, they're called keyservers.

      [CronoCloud ~]$ keylookup --frontend=plain Rob Malda
      gpg: searching for "Rob Malda" from hkp server subkeys.pgp.net
      1024R/BA9146D5239BB413 2000-2-9
                                Rob Malda <malda@slashdot.org>
       
      1024D/D86FEB1F6CE3D482857AEB2809C2DB458662850F 1999-7-7
                                Rob Malda <malda@slashdot.org>
       
      Now run gpg --recv-keys <key ids>

    8. Re: Not a lawyer. by TapeCutter · · Score: 3, Interesting

      The password protected pdf thing is pretty common, they ask you to pick a password when you call to request the paperwork.

      --
      And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
    9. Re: Not a lawyer. by Sloppy · · Score: 2

      That's funny, because the submitter claimed the bank had her "name, address, date of birth, social security number, drivers license number and bank account information." It's almost as though they might have met her (in some form), got a lot of information from her (you can ask for all that stuff but not a fingerprint?) and authenticated her. Typos aside, you have to authenticate anyway, otherwise I could take out a loan in the submitter's sister's name, and give them my email address which they correctly enter.

      In a situation like that, where you're already authenticating, you don't even need an "infrastructure," or rather, you're building the infrastructure right there. After that meeting, the bank and the customer can sign each other and add the connection to the WoT so that the next person (who knows one of the parties but not the other) will have it.

      Oh right, the WoT. So there is already an existing infrastructure but people just aren't using it so it's still missing a lot of people.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
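
The exchange above about whether public-key encryption helps with a mistyped address (Sique, MightyYar, wvmarle), CronoCloud's keyserver lookup, and Sloppy's point that the bank has already authenticated the customer all come down to which key you encrypt to. The following is an added example, not code from any of the commenters or from GnuPG: it parses keyserver search output in the shape of the `keylookup --frontend=plain` listing quoted above (the names, addresses, key ids and dates are constructed), and it only selects a key whose fingerprint matches one that was pinned out of band, for instance read back during the phone call or checked when the customer was identified in person. The function and variable names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the shape of the `keylookup --frontend=plain` output
# quoted in the thread. Names, addresses, key ids and dates are made up.
SAMPLE_KEYSERVER_OUTPUT = """\
gpg: searching for "smith" from hkp server keys.example.invalid
4096R/1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D7E8F9A0B 2014-3-1
                          Jane Smith <jane.smith@example.com>
2048R/F0E1D2C3B4A5968778695A4B3C2D1E0F11223344 2012-11-20
                          Jan Smith <jan.smith@example.com>
1024D/0123456789ABCDEF0123456789ABCDEF01234567 2009-6-2
                          Jane Smith (old key) <jane.smith@example.com>
"""

# Fingerprint the customer read out over the phone (or that was checked at the
# branch) when the loan was set up; constructed for this example.
PINNED_FINGERPRINT = "1A2B 3C4D 5E6F 7A8B 9C0D 1E2F 3A4B 5C6D 7E8F 9A0B"

KEY_LINE = re.compile(r"^(\d+)([A-Z])/([0-9A-Fa-f]+)\s+(\d{4}-\d{1,2}-\d{1,2})\s*$")
UID_LINE = re.compile(r"^\s+(.*?)\s*<([^>]+)>\s*$")


@dataclass
class Key:
    bits: int
    algo: str
    fingerprint: str          # key id or full fingerprint, upper-case hex
    created: str
    uids: List[Tuple[str, str]] = field(default_factory=list)   # (name, address)


def normalize_fpr(text: str) -> str:
    """Strip the grouping spaces people use when reading a fingerprint aloud."""
    return re.sub(r"\s+", "", text).upper()


def parse_keyserver_output(text: str) -> List[Key]:
    """Turn the plain-frontend listing into Key records with their user ids."""
    keys: List[Key] = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            keys.append(Key(int(m.group(1)), m.group(2), m.group(3).upper(), m.group(4)))
            continue
        m = UID_LINE.match(line)
        if m and keys:
            keys[-1].uids.append((m.group(1), m.group(2).strip().lower()))
    return keys


def keys_for_address(keys: List[Key], address: str) -> List[Key]:
    """What 'pull the key for this address' gives you: every key that merely
    claims the address in a user id, including stale or impostor keys."""
    wanted = address.strip().lower()
    return [k for k in keys if any(a == wanted for _, a in k.uids)]


def choose_recipient_key(keys: List[Key], typed_address: str,
                         pinned_fingerprint: str) -> Optional[Key]:
    """Encrypt only to a key whose fingerprint was verified out of band.
    Returns None when the typed address resolves to no such key, which is
    exactly what happens when the address was transcribed wrongly."""
    wanted = normalize_fpr(pinned_fingerprint)
    for k in keys_for_address(keys, typed_address):
        if normalize_fpr(k.fingerprint) == wanted:
            return k
    return None


if __name__ == "__main__":
    keys = parse_keyserver_output(SAMPLE_KEYSERVER_OUTPUT)
    for typed in ("jane.smith@example.com", "jan.smith@example.com"):
        k = choose_recipient_key(keys, typed, PINNED_FINGERPRINT)
        print(typed, "->", k.fingerprint if k else "REFUSE: no pinned key for this address")
```

Looking keys up by address alone returns every key that claims the address, including stale ones and whichever key belongs to the person who really owns the mistyped address, which is MightyYar's objection. Pinning the fingerprint turns a transcription error into a refusal to send rather than a disclosure, and it costs nothing extra once the customer has already been authenticated.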
  2. Not over the phone by OolimPhon · · Score: 3, Interesting

    I wouldn't give out my email address over the phone.

    This is because it is fairly long and easy to misspell.

    Instead, I send an email to the bank, using their email address, and of course my correct addy is then available as Sender.

    This step ensures we both know we are talking to each other.

    This can only help if you are talking to a financial institution.

  3. Technophobic bureaucrats by GenieGenieGenie · · Score: 5, Interesting

    One of the main problems here is that people are given these technologies without understanding them completely. When I was working in the US, I made a big fuss once at my workplace about sending sensitive documents in unencrypted emails and was treated like I was hysterical and unreasonable. I managed to coerce the morons in charge to do this, but the incident was turned into a laughing matter from that point on. It's hard to convince drawer-minded bureaucrats to change their behavior when there aren't any regulations, created by other drawer-minded bureaucrats, that specify how it is that they should actually behave. I mean, god forbid, they might need to resort to independent thinking and resolution.

    1. Re:Technophobic bureaucrats by fuzzyfuzzyfungus · · Score: 3, Insightful

      Aside from understanding, you also have to care. And not just care; but care enough to overcome the practical inconveniences of doing it properly, especially if everyone around you doesn't understand why you are wasting time with the 'unnecessary' extra steps.

      Depending on the situation, not caring can easily be a greater obstacle than not understanding. This is the major reason why the existence of regulations carries weight. Regulations aren't very educational; but it is very, very, easy to understand 'doing X violates The Rules', while the logic behind The Rules can be of any level of complexity, or nonexistent. On the minus side, this means that arbitrarily stupid practices can be incorporated into The Rules without challenge. On the plus side, this means that brutally complex; but necessary, procedures can be laid out without the need to explain them to everyone from first principles.

    2. Re:Technophobic bureaucrats by Xest · · Score: 5, Interesting

      Yep, it's amazing how many just don't get it.

      I used to work for an engineering firm doing development, but prior to that my experience was in network administration. The IT department was managed by an engineer who had zero IT experience but took the job when the firm split from its other half years before and the other half took all the IT staff, and all his staff were just people who had moved sideways. The net result was an IT department run wholly by amateurs wanting to be professionals.

      Because I had real actual IT experience of a 10,000 user network from my previous job I tended to help them a lot, and I really didn't mind that, and they appreciated it.

      But there were some things they just wouldn't get, security was one. I told them time and time again about the complete and utter lack of security and security policy and explained the risks. I was frankly laughed at by everyone in IT and even the directors and CEO I mentioned it to. I was told I was paranoid and being silly, and why would they ever be a hacking target, because it's not like they were drilling in the arctic or suing people for copyright infringement. All this was true despite the fact I'd set up a firewall around my net facing dev servers even if they weren't going to properly defend the rest of the company and I provided them IDS logs showing many probes from countries such as China and a number of South American countries like Colombia and Argentina, where they were also active and had an office.

      It's a shame because they actually had a proper R&D department and had some genuinely unique data, designs and techniques for the field in question, I left there about 7 years ago, and in the time since I'm aware that they repeatedly became loss making, in part because of the recession, but primarily because it turns out a company in China started doing everything they could do cheaper and had to have had all their data. This didn't particularly surprise me because they had on a number of occasions had problems with Chinese sales staff probing for more information than necessary when visiting the UK offices - it seemed pretty clear someone in China was interested in entering that industry, and probes on my dev servers from China were more prolific than anything I'd seen before and since. They have now been consumed by a German company and asset stripped for the remaining useful bits of IP, but are gone as an individual company - a good hundred or so jobs were lost.

      This is the greatest example I've witnessed personally where IT security and ignoring the risks due to naivety led to tragic consequences. It's possible they wouldn't have survived the prolonged downturn regardless, but it's pretty clear that espionage accelerated their end.

      But what do you do? If they don't listen to the warnings and advice I don't see how you can help them. There was an attempt to shift the responsibility onto me ("You write the security document and implement the procedures if you think we need them"), of writing the security policy, implementing all the measures, but I wasn't there for that, I'd moved into development precisely because I wanted to get out of that and whilst I said I'd be happy to train and review I wasn't willing to let it become my full time job - I didn't see why I should be forced into a job I hated because IT didn't want to do the job they were supposed to be doing, hence why I left.

      It's a shame that so many places learn the lesson too late, or not at all in some cases (e.g. Sony).

  4. Is she sure she told them the correct address? by Richard_at_work · · Score: 4, Interesting

    I have a firstnamelastname@gmail email address (you can see it above this post), and I get a *lot* of correspondence for other me's out there - bank details, divorce proceedings, legal proceedings, a long running internal discussion surrounding someone's cock-up in the Republican Party in the US, internal memos for several political parties around the globe.

    I've enjoyed free Netflix subscriptions (thanks!), invites to various exclusive clubs (not so great, most of them are in the US) and family meet ups. I know the progress of several children's schooling in Canada and the US, including an incident where the child was suspended for 3 days for kicking the teacher. I've had the ability to cancel several ISP connections, including business ones. Details of medical appointments and procedures, insurance documents etc etc.

    I've also been threatened with legal action for simply owning the email address and not handing it over - twice now. Yes, apparently there are other me's out there that think they have a right to this email address.

    So in short, without a recording of the telephone conversation, I wouldn't be so sure that it wasn't your sister that got the address wrong.

    1. Re:Is she sure she told them the correct address? by complete+loony · · Score: 2

      Still, none of this personal information should ever be sent unencrypted over email.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    2. Re:Is she sure she told them the correct address? by tom17 · · Score: 3, Funny

      I too have this gmail phenomenon. There are some instances where I have received e-mails from multiple sources, all to the same 'other me' (A little more ambiguous in my case as it's first initial then surname).

      Some people just assume they have this e-mail.

      And in true spirit of 'there's an XKCD of this', this one was always pretty relevant for me lol... http://xkcd.com/1279/

    3. Re:Is she sure she told them the correct address? by Registered+Coward+v2 · · Score: 2

      I have a firstnamelastname@gmail email address (you can see it above this post), and I get a *lot* of correspondence for other me's out there - bank details, divorce proceedings, legal proceedings, a long running internal discussion surrounding someones cock up in the Republican Party in the US, internal memos for several political parties around the globe.

      Same here. I usually reply with a "wrong person, please verify the email address" and get a thanks in reply. No legal threats, which would get a nice FU response from my lawyer, but I did have some idiot IT admin insist, repeatedly, the address was correct and that they would continue to send me the emails. He didn't seem to understand that ignoring periods in email addresses complied with the RFC no matter what he thought. I said OK, but be advised that I make no assurance as to the privacy of the information and consider anything sent to me to be mine free to use as I see fit. Given it was a private school I figured sooner or later the parent would figure out what was happening when they didn't get important emails from the school and straighten out the situation. Sure enough, the emails eventually stopped. On my end I simply sent them to junk mail marked as spam as I had no real interest in reading conversations intended as private.

      I also wound up on a political email list and after several nice polite requests to be dropped I started flame wars by pointing out every inaccuracy in the right wing rants that constituted the list. I figured if they ignored my nice requests they wanted an alternative opinion and I was happy to supply it. It was a bit like shooting fish in a barrel since they clearly were relative newbies and never had been seriously trolled, been involved in USENET flame wars, read ALT.FOLKLORE.URBAN, or in general realized this Internet Thing reached people beyond their political slant. Eventually the list owner banned me and stopped sending me the emails, ending the fun.

      --
      I'm a consultant - I convert gibberish into cash-flow.
  5. From a security perspective... by pehrs · · Score: 4, Interesting

    Frankly, the risk of somebody doing something nefarious with the information they got is pretty low. Even on the internet the vast majority of people are nice and behave like decent human beings. Most people don't even know how they could use that information for financial gain. So if you go to a court you will have a hard time proving actual damage for what is obviously a mistake, which means any recuperation is either going to be based on good will or specific laws covering data breaches.

    In a larger perspective, you are right now encountering (and worrying about) a fundamental flaw in the way many American businesses work. There is a big confusion between identity, authentication and authorization. Identity (name, address, date of birth, social security number, bank account etc.) is not the same as authentication (I am the Identity) nor authorization (I am allowed to act as the Identity). None of the information the bank leaked really should be secret, and in Europe you could probably find most of it (except for bank account numbers) in public databases.

  6. Why do they email it in the first place? by houghi · · Score: 4, Insightful

    Just curious, but why did they email any of that information in the first place?
    Where I live, the ONLY information I ever get from my bank is that my statement is available online. That's it.
    The reason is that everybody should understand that banks don't send anything else.

    If something needs to be signed, I will download it or I will get to them and sign it there. There is no reason to send me any other information I already have.

    I know people who have asked the bank to send them papers to sign via email and the bank said no.

    --
    Don't fight for your country, if your country does not fight for you.
  7. Re:The switch could make things worse by gnasher719 · · Score: 2

    Since similar usernames can also mean similar full names, it could make identity theft that much easier for that other person bearing a similar name as your sister.

    On the other hand, the bank should know who they sent that information to. If I was by mistake given the keys to my neighbour's home, and the person who gave me the keys knew who they gave them to, I would be an idiot to break into my neighbour's house using these keys.

  8. Bank Security? by tigersha · · Score: 2

    I use a specific email address for any org that I deal with, something like @my.address.net, so I can see who I get spam/malware from and I can block specific senders.

    I used a specific_bank@my.address.net for a loan application once and I got malware from that bank a year or so later. I certainly did not use the email for anything else. The BANK had a virus somewhere that harvested my email and God knows what. I transferred the loan to another institute.

    This is in Germany where there are actual laws about this.

    --
    The dangers of excessive individualism are nothing compared to the oppressiveness of excessive collectivism
  9. Re:You are probably SOL... by fuzzyfuzzyfungus · · Score: 5, Insightful

    As best I can tell, "identity theft" is a brilliant invention on the part of institutions that are too lazy to authenticate people: as if by magic, this construction transforms fraud perpetrated against them into your problem. "Ooh, your identity got stolen, that sucks. Have fun fighting with the credit reporting agencies forever." rather than "Oh, another instance of fraud by impersonation against our pitifully weak systems. Maybe we have to do something about that..."

    I have to admit, it's elegant enough that I'd be forced to shake the hand of the person responsible before punching him in the face, just as a gesture of respect for carrying off something that audacious successfully.

  10. Re:IANAL but.. by Hognoxious · · Score: 5, Funny

    Anyone claiming to be a lawyer on Slashdot, or indeed on the internet in general, is probably lying.

    If they are a lawyer, they're definitely lying.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  11. Use your state laws, the CFPB and Investor Relat. by Anonymous Coward · · Score: 4, Informative

    I work in IT security for a bank. Your plan of attack depends on the state where you live, how your bank is chartered (state charter or federal charter) and how large your bank is with respect to the dollar amount of assets. If they are above ten billion in assets they are subject to more regulations.

    The federal laws are incredibly weak on this matter because the banks contribute so much to lobbying. The only federal regulator that scares the banks is the Consumer Financial Protection Bureau, www.consumerfinance.gov. They have an online complaint form. The primary regulator for banks is the Office of the Comptroller of the Currency www.occ.gov, but they are seen as weak on data protection matters. Lately they have been making a lot of noise about cybersecurity being a high priority but only from the hacking aspect and not consumer data protection.

    The CFPB and the state laws are your best legal avenue. A certified letter to them as well as to the OCC will get attention. ALWAYS send a letter by certified mail as well as using an online method. Certified mail gets a lot of attention because that is how legal matters arrive.

    It is not up to you to make sure the bank is using the correct contact information; it's up to the bank to validate it somehow and to protect the information while it is in transit and at rest on your ISP's mail server (yes, and that means no sending of unencrypted confidential docs by email). For email it's a preceding exchange of emails to validate the email address and the use of encryption on the files. You also could contact your local newspaper (if you still have one) or the local TV investigative reporter. If the bank is doing something so incredibly stupid with email they probably are doing other stupid things and TV stations love that kind of dirt. I'd also complain to your state Attorney General office in writing. New York has an incredibly proactive AG office on these matters. I'd also use the bank's Investor Relations contact information to make a complaint. That method is far, far more effective than trying to guess the CEO's email address. Every company watches their Investor Relations email or contact page closely, not just banks.

    Your bank "told" you that they do not have any type of secure document delivery service. They also told you that they do not have a properly configured, if indeed any, type of Data Loss Prevention application or program. What they did NOT tell you is whether they used encrypted email. There is a form of automatic email encryption called TLS that transparently encrypts email between servers. Gmail sends and receives TLS email by default. So it's entirely possible that they did use TLS email to encrypt it across the Internet. www.checktls.com can tell you whether your email provider and the bank can use TLS email.

    Good luck.
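
OolimPhon's suggestion (comment 2) of having the customer send the first e-mail so the bank reads the address from the message rather than from a phone call, and the "preceding exchange of emails to validate the email address" mentioned in the comment above, amount to the same control: the bank never types the address in. The following is an added example, not any bank's or vendor's code: a short-lived one-time token is read to the already-authenticated customer, and whichever address the message quoting that token comes from is what gets bound to the customer record. The class and method names, the VERIFY- token format and the sample message are this example's own.

```python
import hashlib
import hmac
import re
import secrets
import time
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, Optional, Tuple

# Token shape used by this example: "VERIFY-" plus 24 URL-safe base64 characters.
TOKEN_RE = re.compile(r"VERIFY-[A-Za-z0-9_-]{24}")


class AddressBinder:
    """Bind a customer record to an e-mail address that the customer proves
    by writing to us, instead of an address a clerk typed from a phone call."""

    def __init__(self, server_secret: bytes, ttl_seconds: int = 3600):
        self._secret = server_secret
        self._ttl = ttl_seconds
        self._pending: Dict[str, Tuple[str, float]] = {}  # HMAC(token) -> (customer_id, expiry)
        self._bound: Dict[str, str] = {}                   # customer_id -> proven address

    def _digest(self, token: str) -> str:
        # Only a keyed hash of the token is stored, so a copied table is useless.
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def issue_token(self, customer_id: str, now: Optional[float] = None) -> str:
        """Create a one-time token to be read to the already-authenticated
        customer over the phone (or handed over at the branch)."""
        now = time.time() if now is None else now
        token = "VERIFY-" + secrets.token_urlsafe(18)   # 18 bytes -> 24 characters
        self._pending[self._digest(token)] = (customer_id, now + self._ttl)
        return token

    def bind_address(self, token: str, sender_address: str,
                     now: Optional[float] = None) -> bool:
        """Called when a message quoting the token arrives. The sender address
        of that message becomes the customer's address; nothing was typed in."""
        now = time.time() if now is None else now
        entry = self._pending.pop(self._digest(token), None)   # single use
        if entry is None:
            return False
        customer_id, expires_at = entry
        if now > expires_at:
            return False
        self._bound[customer_id] = sender_address.strip().lower()
        return True

    def bind_from_message(self, raw_message: str, now: Optional[float] = None) -> bool:
        """Convenience wrapper: pull the From address and the token out of a
        raw RFC 822 message and bind them."""
        msg = message_from_string(raw_message)
        _, sender = parseaddr(msg.get("From", ""))
        body = msg.get_payload() if not msg.is_multipart() else ""
        m = TOKEN_RE.search(body if isinstance(body, str) else "")
        if not sender or not m:
            return False
        return self.bind_address(m.group(0), sender, now)

    def address_for(self, customer_id: str) -> Optional[str]:
        """The only address sensitive paperwork may go to, or None if unproven."""
        return self._bound.get(customer_id)


if __name__ == "__main__":
    binder = AddressBinder(b"constructed-server-secret")
    token = binder.issue_token("cust-42")           # read to the customer by phone
    # Constructed reply from the customer's own mailbox, quoting the token.
    reply = ("From: Jane Smith <Jane.Smith@example.com>\n"
             "To: loans@bank.example.invalid\n"
             "Subject: loan paperwork\n\n"
             f"Hello, my verification code is {token}\n")
    print("bound:", binder.bind_from_message(reply))
    print("send paperwork only to:", binder.address_for("cust-42"))
```

The token is what does the work: a forged From header without the token binds nothing, and a token cannot reach the wrong mailbox through a typo because it travels over the phone call that already authenticated the customer rather than over e-mail. Anything sensitive is then sent only to `address_for(customer_id)`, never to an address typed from dictation.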

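On the TLS point in the comment above: whether each server-to-server hop used TLS is recorded in the Received: headers that the receiving servers add, which is the same kind of information www.checktls.com derives by probing. The following is an added example, not checktls.com's code or any mail provider's: it parses the Received: headers of a constructed message (hosts, queue ids and timestamps are made up) and reports per hop whether a TLS session was used. The sample models an internal hop that was plain and an Internet hop that used TLS 1.2.

```python
import re
from email import message_from_string
from typing import Dict, List, Optional

# Constructed message modelled on the Received: lines Gmail and typical mail
# gateways write; hosts, queue ids and timestamps are made up for this example.
SAMPLE_MESSAGE = """\
Received: from mailgw.bank.example.invalid (mailgw.bank.example.invalid. [192.0.2.10])
        by mx.gmail.example.invalid with ESMTPS id k9si1234
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sat, 17 Jan 2015 10:00:02 -0800 (PST)
Received: from loanapp01.bank.example.invalid (10.0.0.5)
        by mailgw.bank.example.invalid with ESMTP id 7Xq9w;
        Sat, 17 Jan 2015 10:00:01 -0800
From: loans@bank.example.invalid
To: jane.smth@gmail.example.invalid
Subject: Your consolidation paperwork

Your documents are attached.
"""

# "with" protocol keywords that imply a TLS session: ESMTPS/ESMTPSA from
# RFC 3848 and their SMTPUTF8 forms from RFC 6531.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}


def _field(pattern: str, text: str) -> Optional[str]:
    m = re.search(pattern, text)
    return m.group(1) if m else None


def parse_received_hops(raw_message: str) -> List[Dict[str, object]]:
    """One record per Received: header, oldest hop first."""
    msg = message_from_string(raw_message)
    hops: List[Dict[str, object]] = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", value).strip()      # unfold the header
        proto = _field(r"\bwith\s+(\S+)", flat)
        version = _field(r"version=([A-Za-z0-9_.]+)", flat)
        hops.append({
            "from": _field(r"^from\s+(\S+)", flat),
            "by": _field(r"\bby\s+(\S+)", flat),
            "with": proto,
            "version": version,
            # Encrypted if the protocol keyword says so or the receiving
            # server recorded a TLS version for the session.
            "tls": (proto or "").upper() in TLS_PROTOCOLS or version is not None,
        })
    hops.reverse()   # headers are prepended, so the last one is the first hop
    return hops


def all_hops_encrypted(raw_message: str) -> bool:
    """True only if every recorded hop, internal ones included, used TLS."""
    hops = parse_received_hops(raw_message)
    return bool(hops) and all(h["tls"] for h in hops)


if __name__ == "__main__":
    for hop in parse_received_hops(SAMPLE_MESSAGE):
        state = f"TLS {hop['version']}" if hop["tls"] else "plain"
        print(f"{hop['from']} -> {hop['by']}: {state}")
    print("every hop encrypted:", all_hops_encrypted(SAMPLE_MESSAGE))
```

Even a message that passed every hop over TLS only proves it was encrypted in transit between servers; it says nothing about who owns the mailbox at the far end, so transport TLS does not change the picture for a misaddressed message.
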
  12. Comment removed by account_deleted · · Score: 4, Funny

    Comment removed based on user account deletion

  13. Bank Security by Old+Aylesburian · · Score: 3, Interesting

    I live in the UK. My bank wants me to sign up for internet banking, but they will not use email to request an appointment. Apparently the internet is safe enough for _my_ money, but not _their_ letters.

  14. GLBA by Pagey123 · · Score: 3, Informative

    Disclaimer: I work for a small community bank. In the US, all banks are required to adhere to the Gramm-Leach-Bliley Act (GLBA). See: http://en.wikipedia.org/wiki/G...

    As such, banks are required by both their state and federal regulators to follow a series of basic security protocols as laid out in the FFIEC IT Examination Handbook. Google this document for further details.

    I'm not sure what recourse she would have, specifically, under GLBA, but if she is truly interested in following up on this mistake by the bank, the place to begin would be consulting an attorney and contacting either the FDIC or the state's Department of Financial Institutions to make a formal complaint. Banks are usually required to have a formal complaint resolution process in place, and they are required to respond to both FDIC and state regulatory complaints as well.

  15. one and only piece of advice by ihtoit · · Score: 5, Informative

    Locate your State's Regulatory Data Commissioner. For CT, that would be the Ct. Banking Commissioner, via the Department of Banking, 260 Constitution Plaza, Hartford 06103-1800, and report as a protected data breach giving full details. They will carry it to closure. Contact there is the office of Bruce Adams, on (860) 240-8100.

    HTH.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  16. Re:You are probably SOL... by mrchaotica · · Score: 4, Insightful

    In a sane and just world, a credit reporting agency giving out incorrect information would be considered libel.

    --
    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  17. Re:good grief, over-entitled twit by cdrudge · · Score: 2

    Email? Not sure about. How do you verify who you are with many people having unsecured email accounts on home computers, cell phones, etc.

    My doctor has a secure portal where I can ask questions, read replies, see what my recent prescriptions were for and dosage, find out results of lab work if the doctor has released them, etc. Quite handy. More inconvenient than just email, but a lot better than nothing.

  18. Encryption the easy way by nehumanuscrede · · Score: 3, Interesting

    Many places that handle this type of data will encrypt it and direct you to a https link to download it. When you hit the site, you'll be asked for a password that was given to you by the folks on the phone. It will then decrypt the contents and allow you to download it right to your machine.

    They know most folks are incapable of implementing or even understanding encryption, thus the simplified method above.

    Banks ( and any institution that handles SPI data ) will get their ass handed to them for exposing that data. ( and they know it ) SPI data is the primary reason all laptops for my company are full-disk encrypted. Losing a laptop isn't news. Losing one with 100k Social Security numbers, bank accounts, or Customer names, passwords, addresses DOES make the news.

    They're paranoid about it ( and rightfully so ) and will fire you on the spot if your actions expose SPI data of any kind.

    *SPI = Sensitive Personal Information